CN112550313A - Fault-tolerant embedded automotive application through cloud computing - Google Patents
Fault-tolerant embedded automotive application through cloud computing Download PDFInfo
- Publication number
- CN112550313A CN112550313A CN202011013752.3A CN202011013752A CN112550313A CN 112550313 A CN112550313 A CN 112550313A CN 202011013752 A CN202011013752 A CN 202011013752A CN 112550313 A CN112550313 A CN 112550313A
- Authority
- CN
- China
- Prior art keywords
- vehicle
- control unit
- electronic control
- local
- backup
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 claims abstract description 31
- 230000000116 mitigating effect Effects 0.000 claims description 16
- 230000000977 initiatory effect Effects 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 3
- 238000010586 diagram Methods 0.000 description 19
- 238000004891 communication Methods 0.000 description 13
- 230000008569 process Effects 0.000 description 10
- 230000005540 biological transmission Effects 0.000 description 7
- 230000001413 cellular effect Effects 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 4
- 238000012423 maintenance Methods 0.000 description 2
- 230000007257 malfunction Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000002411 adverse Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000002485 combustion reaction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 239000000446 fuel Substances 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000001172 regenerating effect Effects 0.000 description 1
- 230000010076 replication Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Images
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/02—Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
- B60W50/023—Avoiding failures by using redundant parts
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W30/00—Purposes of road vehicle drive control systems not related to the control of a particular sub-unit, e.g. of systems using conjoint control of vehicle sub-units
- B60W30/18—Propelling the vehicle
- B60W30/18009—Propelling the vehicle related to particular drive situations
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W60/00—Drive control systems specially adapted for autonomous road vehicles
- B60W60/005—Handover processes
- B60W60/0059—Estimation of the risk associated with autonomous or manual driving, e.g. situation too complex, sensor failure or driver incapacity
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05D—SYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
- G05D1/00—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots
- G05D1/0011—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots associated with a remote control arrangement
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05D—SYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
- G05D1/00—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots
- G05D1/0088—Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots characterized by the autonomous decision making process, e.g. artificial intelligence, predefined behaviours
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/02—Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
- B60W50/029—Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts
- B60W2050/0292—Fail-safe or redundant systems, e.g. limp-home or backup systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W2556/00—Input parameters relating to data
Landscapes
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Transportation (AREA)
- Mechanical Engineering (AREA)
- Human Computer Interaction (AREA)
- Radar, Positioning & Navigation (AREA)
- Aviation & Aerospace Engineering (AREA)
- Remote Sensing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Computation (AREA)
- Game Theory and Decision Science (AREA)
- Medical Informatics (AREA)
- Business, Economics & Management (AREA)
- Control Of Driving Devices And Active Controlling Of Vehicle (AREA)
Abstract
A vehicle, an operating system of the vehicle and a method of operating the vehicle are disclosed. A local electronic control unit is operated on the vehicle to control the vehicle. The backup electronic control unit operates on the remote computing platform to control the vehicle. In the event of a failure of the local electronic control unit, control of the vehicle is transferred from the local electronic control unit to the backup electronic control unit.
Description
Technical Field
The subject disclosure relates to systems and methods for increasing fault tolerance capability, and in particular, to providing a replication control system for a vehicle using a cloud computing platform.
Background
The autonomous vehicle includes a master control system that performs various calculations and issues various commands to operate without driver input. In the event of a fault, the autonomous vehicle may notify the driver so as to return control of the vehicle to the driver. However, such a transition requires waiting for the driver to respond to a signal provided by the vehicle, which may mean that the vehicle remains in operation for a long period of time. To maintain control during this transition time, autonomous vehicles typically have redundant or auxiliary control systems that control the vehicle when a failure occurs in the main control system. This redundancy results in additional hardware and software requirements for the vehicle, which results in additional space requirements and costs. Accordingly, it is desirable to provide a redundant control system without incurring the cost or space requirements of the vehicle.
Disclosure of Invention
In one exemplary embodiment, a method of operating a vehicle is disclosed. A local electronic control unit is operated on the vehicle to control the vehicle. A backup electronic control unit operates on the remote computing platform to control the vehicle. In the event of a failure of the local electronic control unit, control of the vehicle is transferred from the local electronic control unit to the backup electronic control unit.
In addition to one or more features described herein, the remote computing platform is a cloud processor and the standby electronic control unit is a virtual electronic control unit. The same input will be sent to both the local electronic control unit and the standby electronic control unit. In one embodiment, the backup electronic control unit sends a backup output to the vehicle and initiates a fault mitigation procedure on the vehicle when the vehicle does not receive the backup output. In another embodiment, the local electronic control unit generates a local output, the backup electronic control unit generates a backup output, and the fault mitigation procedure is initiated when a difference between the local output and the backup output is detected. The local state of the local electronic control unit is sent to the remote computing platform and the standby state of the standby electronic control unit is updated to the local state of the local electronic control unit. In one embodiment, the backup electronic control unit includes a first backup electronic control unit that generates a first backup output and a second backup electronic control unit that generates a second backup output, and the method further includes comparing the local output of the local electronic control unit to at least one of the first backup output and the second backup output on the remote computing platform.
In another exemplary embodiment, an operating system for a vehicle is disclosed. The operating system includes a local electronic control unit of the vehicle and a remote computing platform. The local electronic control unit is configured to control the vehicle. The remote computing platform provides a backup electronic control unit configured to control the vehicle. In the event of a failure at the local electronic control unit, the vehicle transfers control of the vehicle from the local electronic control unit to the backup electronic control unit.
In addition to one or more features described herein, the remote computing platform is a cloud processor and the standby electronic control unit is a virtual electronic control unit. The local electronic control unit and the standby electronic control unit operate using the same inputs. In one embodiment, the backup electronic control unit sends a backup output to the vehicle, and the vehicle initiates a fault mitigation procedure when the vehicle does not receive the backup output. In another embodiment, the local electronic control unit generates a local output, the backup electronic control unit generates a backup output, and the vehicle initiates the fault mitigation procedure when a difference between the local output and the backup output is detected. The vehicle transmits the local state of the local electronic control unit to the remote computing platform and the standby electronic control unit updates its standby state to the local state of the local electronic control unit. In one embodiment, the backup electronic control unit includes a first backup electronic control unit that generates a first backup output and a second backup electronic control unit that generates a second backup output, and the cloud watchdog of the remote computing platform compares the local output of the local electronic control unit to at least one of the first backup output and the second backup output.
In another exemplary embodiment, a vehicle is disclosed. The vehicle includes a local electronic control unit configured to control the vehicle. The vehicle is in communication with a remote computing platform configured to provide a backup electronic control unit for controlling the vehicle. The vehicle is configured to transfer control of the vehicle from the local electronic control unit to the backup electronic control unit when the local electronic control unit fails.
In addition to one or more features described herein, the local electronic control unit and the standby electronic control unit operate using the same inputs. In one embodiment, the backup electronic control unit sends the backup output to the vehicle, and the vehicle is further configured to initiate the fault mitigation procedure when the backup output is not received on the vehicle. In another embodiment, the local electronic control unit generates a local output, the backup electronic control unit generates a backup output, and the vehicle is further configured to initiate the fault mitigation procedure upon detecting a difference between the local output and the backup output. The vehicle is further configured to transmit the local state of the local electronic control unit to the remote computing platform to update the standby state of the standby electronic control unit to the local state of the local electronic control unit. In one embodiment, the backup electronic control unit further comprises a first backup electronic control unit that generates a first backup output; and a second standby electronic control unit that generates a second standby output; the vehicle is configured to operate based on a comparison of a local output of the local electronic control unit to at least one of a first backup output and a second backup output performed at a cloud watchdog of the remote computing platform.
The above features and advantages and other features and advantages of the present disclosure will be readily apparent from the following detailed description when taken in connection with the accompanying drawings.
Drawings
Other features, advantages and details appear, by way of example only, in the following detailed description, the detailed description referring to the drawings in which:
FIG. 1 illustrates a vehicle in an exemplary embodiment;
FIG. 2 shows a block diagram of an operating system for operating a vehicle in the event of a fault in a control unit of the vehicle;
FIG. 3 shows a block diagram of an alternative operating system for operating an autonomous vehicle in the event of a failure in a control unit of the vehicle;
FIG. 4 shows a data flow diagram illustrating the operation of the operating system of FIG. 2 or FIG. 3;
FIG. 5 shows a data flow diagram 500 illustrating additional data operations of the operating system of FIGS. 2 and 3;
FIG. 6 illustrates a data flow diagram 600 showing additional data operations of the operating system of FIGS. 2 and 3; and
fig. 7 shows a data flow diagram 700 illustrating the operation of the operating system of fig. 2 and 3.
Detailed Description
The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses. It should be understood that throughout the drawings, corresponding reference numerals indicate like or corresponding parts and features.
According to an exemplary embodiment, FIG. 1 illustrates a vehicle 10. In the exemplary embodiment, vehicle 10 is a semi-autonomous or autonomous vehicle. In various embodiments, the vehicle 10 includes at least one driver assistance system for steering and accelerating/decelerating using information about the driving environment (e.g., cruise control and lane centering). The driver may be taken off physical operation of the vehicle 10 by simultaneously taking his hands off the steering wheel and pressing on the pedal, but the driver must be ready to control the vehicle.
In general, the trajectory planning system 100 determines a trajectory plan for autonomous driving of the vehicle 10. Vehicle 10 generally includes a chassis 12, a body 14, front wheels 16, and rear wheels 18. The body 14 is disposed on the chassis 12 and substantially encloses the components of the vehicle 10. The body 14 and the chassis 12 may together form a frame. The wheels 16 and 18 are each rotationally coupled to the chassis 12 near a respective corner of the body 14.
As shown, the vehicle 10 generally includes a propulsion system 20, a transmission system 22, a steering system 24, a braking system 26, a sensor system 28, an actuator system 30, and at least one data storage device 32. In various embodiments, propulsion system 20 may include an internal combustion engine, an electric machine such as a traction motor, and/or a fuel cell propulsion system. Transmission system 22 is configured to transmit power from propulsion system 20 to wheels 16 and 18 according to selectable speed ratios. According to various embodiments, transmission system 22 may include a step ratio automatic transmission, a continuously variable transmission, or other suitable transmission. The braking system 26 is configured to provide braking torque to the wheels 16 and 18. In various embodiments, the braking system 26 may include a friction brake, a line brake, a regenerative braking system such as an electric motor, and/or other suitable braking systems. Steering system 24 affects the position of wheels 16 and 18. Although depicted as including a steering wheel for illustrative purposes, it is contemplated within the scope of the present disclosure that steering system 24 may not include a steering wheel.
The sensor system 28 includes one or more sensing devices 40a-40n that sense observable conditions of the external environment and/or the internal environment of the vehicle 10. Sensing devices 40a-40n may include, but are not limited to: radar, lidar, global positioning systems, optical cameras, thermal imagers, ultrasonic sensors, and/or other sensors for observing and measuring external environmental parameters. The sensing devices 40a-40n may further include brake sensors, steering angle sensors, wheel speed sensors, etc. for observing and measuring in-vehicle parameters of the vehicle. The cameras may include two or more digital cameras spaced a selected distance from each other, wherein the two or more digital cameras are used to obtain stereoscopic images of the surrounding environment in order to obtain three-dimensional images. Actuator system 30 includes one or more actuator devices 42a-42n that control one or more vehicle features such as, but not limited to, propulsion system 20, transmission system 22, steering system 24, and braking system 26. In various embodiments, the vehicle features may further include interior and/or exterior vehicle features such as, but not limited to, doors, trunk, and cabin features, such as air, music, lighting, etc. (not numbered).
The at least one controller 34 includes at least one processor 44 and a computer-readable storage device or medium 46. The at least one processor 44 may be any custom made or commercially available processor, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), an auxiliary processor among multiple processors associated with the at least one controller 34, a semiconductor based microprocessor (in the form of a microchip or chip set), a macroprocessor, any combination thereof, or generally any device for executing instructions. The computer-readable storage device or medium 46 may include volatile and non-volatile memory such as Read Only Memory (ROM), Random Access Memory (RAM), and Keep Alive Memory (KAM). The KAM is a persistent or non-volatile memory that may be used to store various operating variables when at least one processor 44 is powered down. The computer-readable storage device or medium 46 may be implemented using any of a number of known storage devices, such as PROMs (programmable read Only memory), EPROMs (electrically PROM), EEPROMs (electrically erasable PROM), flash memory, or any other electrical, magnetic, optical, or combination storage devices capable of storing data used by at least one controller 34 in controlling the vehicle 10, some of which represent executable instructions.
The instructions may comprise one or more separate programs, each of which comprises an ordered listing of executable instructions for implementing logical functions. The instructions, when executed by the at least one processor 44, receive and process signals from the sensor system 28, execute logic, calculations, methods, and/or algorithms for automatically controlling components of the vehicle 10, and generate control signals to the actuator system 30 to automatically control components of the vehicle 10 based on the logic, calculations, methods, and/or algorithms. Although only one controller is shown in fig. 1, embodiments of the vehicle 10 may include any number of controllers that communicate and cooperate via any suitable communication medium or combination of communication media to process sensor signals, perform logic, calculations, methods and/or algorithms, and generate control signals to automatically control features of the vehicle 10.
The communication system 36 is configured to wirelessly communicate information to other entities 48 or from other entities 48, such as, but not limited to, other vehicles ("V2V" communications), infrastructure ("V2I" communications), remote systems, and/or personal devices. In an exemplary embodiment, the communication system 36 is a wireless communication system configured to communicate via a Wireless Local Area Network (WLAN) using the IEEE 802.11 standard or by using cellular data communication. However, additional or alternative communication methods, such as Dedicated Short Range Communication (DSRC) channels, are also contemplated within the scope of the present disclosure. A DSRC channel refers to a one-way or two-way short-to-medium-range wireless communication channel designed specifically for automotive use and a corresponding set of protocols and standards.
Fig. 2 shows a block diagram of an operating system 200 for operating the vehicle 10 in the event of a fault in a control unit of the vehicle. The operating system 200 includes vehicle electronics 202 and a remote computing platform 204. The vehicle electronics 202 include a plurality of Electronic Control Units (ECUs) 206 on the vehicle 10 for controlling and operating various components of the vehicle. A plurality of ECUs 206 are connected to a gateway 208, and the gateway 208 provides a communication path between the ECUs 206 and a telematics module 210. The telematics module transmits data from the ECU 206 to the remote computing platform 204 and also receives data from the remote computing platform 204. The telematics module 210 may communicate with the remote computing platform 204 using any suitable protocol, such as, but not limited to, 4G cellular, 5G cellular, IEEE 802.11x (WiFi, DSRC). The operating system 200 includes the ability to wirelessly download new features or software updates to the vehicle.
The remote computing platform 204 may include any suitable remote computer 212, such as a cloud computer, cloud processor, cloud computer cluster or multiple access edge computing system, and the like. In various embodiments, the remote computing platform 204 operates a virtual ECU to act as a backup for the local ECU of the autonomous automobile. For illustrative purposes, the first local ECU 220 and the second local ECU222 are shown as components of the vehicle electronics 202. The remote computing platform 204 is shown operating a first backup ECU 224 as a backup for the first local ECU 220 and a second backup ECU 226 as a backup for the second local ECU 222. A main software process 228 for controlling the vehicle 10 or components of the vehicle runs on the first local ECU 220. At the same time, a backup software process 230 runs on first backup ECU 224 to provide continuous operation of the vehicle in the event of a failure of first local ECU 220.
Fig. 3 shows a block diagram of an alternative operating system 300 for operating an autonomous vehicle in the event of a failure in a control unit of the vehicle. The alternate operating system 300 includes a zone-based vehicle electronics 302 and a remote computing platform 204. The zone-based vehicle electronics 302 includes a plurality of zone modules 304. Each zone module 304 controls and operates various electronics (not shown) within a selected zone of the vehicle 10. The zone module 304 communicates with various computer modules. For illustrative purposes, a first computer module 306 and a second computer module 308 are shown. In various embodiments, the zone module 304 may collect data from various sensors within the zone and transmit the data to one or more of the first computer module 306 and the second computer module 308, which may process the data and return commands to the zone module 304 for operating the electronics within the selected zone.
In various embodiments, the remote computing platform 204 may include any suitable remote computer 212, such as a cloud computer, cloud processor, cloud computer cluster, or multiple access edge computing system. The remote computing platform 204 operates at least one virtual ECU to serve as a backup for the computer modules of the vehicle 10. For purposes of illustration, a first backup ECU 312 and a second backup ECU 314 are shown, both of which may be virtual ECUs. The first computer module 306 and the second computer module 308 may communicate with the remote computing platform 204 using any suitable protocol, such as, but not limited to, 4G cellular, 5G cellular, IEEE 802.11x (WiFi, DSRC).
For illustrative purposes, a main software process 310 for controlling a vehicle or vehicle component is being executed on the first computer module 306. A backup software process 316 is being executed on the first backup ECU 312 of the remote computing platform 204 to provide continuous operation of the vehicle in the event of a failure of the first computer module 306.
FIG. 4 illustrates a data flow diagram 400 in one embodiment, the data flow diagram 400 illustrating operation of the operating system of FIG. 2 or FIG. 3. The data flow diagram 400 includes various processes performed at the vehicle electronics 202 as well as other processes performed at the remote computing platform 204.
For illustrative purposes, only the first local ECU 220 of the vehicle electronics 202 is shown. Various operations of the vehicle electronic device 202 are performed on the first local ECU 220. The first local ECU 220 receives the input (block 402) and uses the input to execute a main routine (block 404) and generate an output (block 406). The input may be any data or sensed measurement received at the vehicle, and the output may be a command or value to be displayed in various embodiments. In various embodiments, the operation of the first local ECU 220 may be periodic or occasional or event-based. The output is provided to an actuator device (block 408) or other suitable device of the vehicle 10 to perform an action on the vehicle based on the input to the first local ECU 220.
Similarly, for illustrative purposes, the remote computing platform 204 is shown with only the first backup ECU 224. The input (or a copy of the input) provided to the first local ECU 220 is transmitted or sent to the remote computing platform 204 (block 410) and used as an input for the first standby ECU 224. The first standby ECU 224 receives the input (block 412) and executes the standby program (block 414), thereby generating a standby output (block 416). The standby program is generally the same as the main program executed at the first local ECU 220. The backup output may be transmitted from the remote computing platform 204 (block 418) and received at the vehicle electronics 202 (block 420). In the event of a fault on the first local ECU 220 and therefore no output is produced on the first local ECU 220, then the backup output may be used to control operation of the actuator device (block 408).
The vehicle electronics 202 also includes a local watchdog program (block 422) that monitors the operation of the vehicle electronics 202 and the first local ECU 220. In one embodiment, the local watchdog program (block 422) monitors receipt of standby output from the remote computing platform 204. The local watchdog program (block 422) allows normal operation of the first local ECU and the vehicle electronics 202 as long as the backup output is received at regular or expected intervals. If there is an interruption in the reception of the alternate output, or if the alternate output is no longer being received, the local watchdog program (block 422) may begin a fault mitigation operation (block 424). The failure mitigation may include shutting down the vehicle, giving control of the vehicle to the driver, issuing an alarm, initiating a maintenance procedure, etc.
The remote computing platform 204 also includes a remote watchdog program for comparing the backup output to the local output (block 426). In various embodiments, local outputs from the first local ECU 220 are sent (block 430) to a watchdog program (block 426) and a standby output (block 416). The remote watchdog program (block 426) compares the backup output to the local output to determine if the outputs match each other, indicating proper operation of the first local ECU 220. The comparison result may be used to inform the vehicle electronics, which may begin the process of reducing the malfunction.
FIG. 5 illustrates a data flow diagram 500 in one embodiment, the data flow diagram 500 illustrating additional data operations of the operating system of FIGS. 2 and 3. Data flow diagram 500 includes the data operations discussed with respect to fig. 4. The additional data operations of fig. 5 provide insight into the difference between the local output and the alternate output. The local output may be saved in a buffer (block 502). Backup output is received at the vehicle electronics 202 from the remote computing platform 204 (block 420). The local output from the buffer and the received standby output are compared to each other (block 504). The comparison is used to detect any error or difference between the local output and the standby output. Such a difference may indicate an error at the first local ECU 220, requiring notification to the driver. Upon detection of an error or discrepancy, a signal may be sent to a fault mitigation routine (block 424) to perform a shutdown or upgrade to driver control. In various embodiments, fault mitigation includes transferring operation of the vehicle to a remote computing platform, or in other words, using the backup output to operate the vehicle or an actuator of the vehicle. The backup output may be used when the vehicle takes other mitigating steps, such as shutting down the vehicle, giving control of the vehicle to the driver, sounding an alarm, initiating a maintenance procedure, etc.
FIG. 6 illustrates a data flow diagram 600 in one embodiment, the data flow diagram 600 illustrating additional data operations of the operating system of FIGS. 2 and 3. Data flow diagram 500 includes the data operations discussed with respect to fig. 5. Further, the dataflow diagram 600 includes data operations for notifying the remote computing platform 204 of the local status of the first local ECU 220. During normal operation of the first local ECU 220, the first ECU backup 224 may run intermediately or temporarily, only updating its backup status so as to maintain more or less current with the operation or current status of the first local ECU 220. The first local ECU 220 may send parameters indicative of its local status to the remote computing platform 204 (block 602). The status parameters are received at the remote computing platform 204 (block 604). The status parameters are used at the remote computing platform 204 to run or update the first backup ECU 224 to mitigate latency between the first backup ECU 224 and the first local ECU 220 (block 606). For example, when the first backup ECU 224 is behind the first local ECU 220 by a selected time threshold, the first backup ECU 224 may operate to update its state (backup state) to the local state of the first local ECU 220.
Fig. 7 illustrates a data flow diagram 700 of the operation of the operating system of fig. 2 and 3 in an alternative embodiment. In the vehicle electronics 202, the first local ECU 220 receives inputs (block 402), uses these inputs to execute a main routine (block 404) and generates outputs (block 406), which are sent to appropriate actuator devices (block 408) to control the vehicle or components of the vehicle. The input is also sent to the remote computing platform 204 (block 410).
The remote computing platform 204 includes a plurality of backup ECUs 724 that provide redundancy to the first local ECU 220. For illustrative purposes, the plurality of backup ECUs 724 includes a first backup ECU and a second backup ECU. The first standby ECU receives an input (block 412) and executes a first standby routine (block 414) on the input to generate a first standby output (block 416). The second standby ECU receives the input (block 412) and executes a second standby routine (block 415) on the input to generate a second standby output (block 417). Sending the first standby output (block 416) and the second standby output (block 417) to a cloud watchdog (block 426)
In various embodiments, the local output is sent (block 702) to the cloud watchdog (block 426) of the remote computing platform 204 for data integrity checking. The local output, the first standby output, and the second standby output are compared to each other at the cloud watchdog (block 426). The remote cloud watchdog program (block 426) may compare the local output, the first backup output, and the second backup output to one another to determine whether a malfunction or failure exists at the first local ECU 220. The remote watchdog program (block 426) may perform a triple-mode redundant vote to provide sufficient output for temporary control of the vehicle. Based on the results of the tri-modal redundancy, any potential safety failures or potential adverse behaviors are notified to the vehicle electronics 202 (block 704). At the vehicle electronics 202, cloud data integrity is checked (block 706). In various embodiments, the data integrity check may be performed using symmetric key encryption. If a fault is confirmed, the vehicle executes a fault mitigation routine (block 424).
While the foregoing disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the disclosure without departing from the essential scope thereof. Therefore, it is intended that the disclosure not be limited to the particular embodiments disclosed, but that the disclosure will include all embodiments falling within its scope.
Claims (10)
1. A method of operating a vehicle, comprising:
operating a local electronic control unit at the vehicle to control the vehicle;
operating a backup electronic control unit at a remote computing platform to control the vehicle; and
in the event of a failure of the local electronic control unit, control of the vehicle is transferred from the local electronic control unit to the backup electronic control unit.
2. The method of claim 1, wherein the backup electronic control unit transmits a backup output to the vehicle, further comprising initiating a fault mitigation procedure at the vehicle when the backup output is not received at the vehicle.
3. The method of claim 1, wherein the local electronic control unit generates a local output and the standby electronic control unit generates a standby output, further comprising initiating a fault mitigation procedure when a difference is detected between the local output and the standby output.
4. The method of claim 1, further comprising sending a local state of the local electronic control unit to the remote computing platform and updating a standby state of the standby electronic control unit to the local state of the local electronic control unit.
5. The method of claim 1, wherein the backup electronic control unit further comprises a first backup electronic control unit that generates a first backup output; and a second backup electronic control unit that generates a second backup output, further comprising comparing the local output of the local electronic device with at least one of the first backup output and the second backup output at the remote computing platform.
6. An operating system for a vehicle, comprising:
a local electronic control unit of the vehicle configured to control the vehicle; and
a remote computing platform configured to provide a backup electronic control unit configured to control the vehicle;
wherein the vehicle transfers control of the vehicle from the local electronic control unit to the backup electronic control unit upon a failure at the local electronic control unit.
7. The operating system of claim 6 wherein the backup electronic control unit sends a backup output to the vehicle and the vehicle initiates a fault mitigation procedure when the backup output is not received at the vehicle.
8. The operating system of claim 6, wherein the local electronic control unit generates a local output, the backup electronic control unit generates a backup output, and the vehicle initiates a fault mitigation procedure when a difference between the local output and the backup output is detected.
9. The operating system of claim 6, wherein the vehicle transmits a local state of the local electronic control unit to the remote computing platform, and the standby electronic control unit updates its standby state to the local state of the local electronic control unit.
10. The operating system of claim 6, wherein the standby electronic control unit further comprises a first standby electronic control unit that generates a first standby output; and a second backup electronic control unit that generates a second backup output, wherein a cloud watchdog of the remote computing platform compares a local output of the local electronic control unit to at least one of the first backup output and the second backup output.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US16/584,510 US11318953B2 (en) | 2019-09-26 | 2019-09-26 | Fault-tolerant embedded automotive applications through cloud computing |
| US16/584,510 | 2019-09-26 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112550313A true CN112550313A (en) | 2021-03-26 |
Family
ID=75041084
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011013752.3A Pending CN112550313A (en) | 2019-09-26 | 2020-09-24 | Fault-tolerant embedded automotive application through cloud computing |
Country Status (2)
| Country | Link |
|---|---|
| US (1) | US11318953B2 (en) |
| CN (1) | CN112550313A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113044063A (en) * | 2021-03-31 | 2021-06-29 | 重庆长安汽车股份有限公司 | Functional redundancy software architecture for advanced autopilot |
| CN113442948A (en) * | 2021-07-09 | 2021-09-28 | 深圳元戎启行科技有限公司 | Automatic driving method and device based on cloud reasoning service and computer equipment |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5001641A (en) * | 1987-03-20 | 1991-03-19 | Sumitomo Electric Industries, Ltd. | Multiple control circuit |
| US20060047381A1 (en) * | 2004-08-31 | 2006-03-02 | Nguyen Huan T | Automated vehicle calibration and testing system via telematics |
| KR101459493B1 (en) * | 2013-10-08 | 2014-11-07 | 현대자동차 주식회사 | Apparatus and method for controlliing vehicle |
| WO2015152167A1 (en) * | 2014-03-31 | 2015-10-08 | 日本信号株式会社 | Redundant control device and system switching method |
| CN107444485A (en) * | 2017-07-28 | 2017-12-08 | 安徽江淮汽车集团股份有限公司 | Electricity keeps the system and method for power-assisted steering under a kind of electric vehicle |
| WO2018065973A1 (en) * | 2016-10-06 | 2018-04-12 | Red Bend Ltd. | Systems and methods for handling a vehicle ecu malfunction |
| CN108974015A (en) * | 2017-06-01 | 2018-12-11 | 通用汽车环球科技运作有限责任公司 | Under failure for being required with finite availability can operating function asymmetric system framework |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018004638A1 (en) * | 2016-07-01 | 2018-01-04 | Ford Global Technologies, Llc | Roadside assistance with unmanned aerial vehicle |
| US10752282B2 (en) * | 2017-10-04 | 2020-08-25 | Steering Solutions Ip Holding Corporation | Triple redundancy failsafe for steering systems |
| US10862908B2 (en) * | 2018-08-09 | 2020-12-08 | Hrl Laboratories, Llc | System and method for consensus ordering of broadcast messages |
-
2019
- 2019-09-26 US US16/584,510 patent/US11318953B2/en active Active
-
2020
- 2020-09-24 CN CN202011013752.3A patent/CN112550313A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5001641A (en) * | 1987-03-20 | 1991-03-19 | Sumitomo Electric Industries, Ltd. | Multiple control circuit |
| US20060047381A1 (en) * | 2004-08-31 | 2006-03-02 | Nguyen Huan T | Automated vehicle calibration and testing system via telematics |
| KR101459493B1 (en) * | 2013-10-08 | 2014-11-07 | 현대자동차 주식회사 | Apparatus and method for controlliing vehicle |
| WO2015152167A1 (en) * | 2014-03-31 | 2015-10-08 | 日本信号株式会社 | Redundant control device and system switching method |
| WO2018065973A1 (en) * | 2016-10-06 | 2018-04-12 | Red Bend Ltd. | Systems and methods for handling a vehicle ecu malfunction |
| CN108974015A (en) * | 2017-06-01 | 2018-12-11 | 通用汽车环球科技运作有限责任公司 | Under failure for being required with finite availability can operating function asymmetric system framework |
| CN107444485A (en) * | 2017-07-28 | 2017-12-08 | 安徽江淮汽车集团股份有限公司 | Electricity keeps the system and method for power-assisted steering under a kind of electric vehicle |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113044063A (en) * | 2021-03-31 | 2021-06-29 | 重庆长安汽车股份有限公司 | Functional redundancy software architecture for advanced autopilot |
| CN113442948A (en) * | 2021-07-09 | 2021-09-28 | 深圳元戎启行科技有限公司 | Automatic driving method and device based on cloud reasoning service and computer equipment |
| CN113442948B (en) * | 2021-07-09 | 2024-01-23 | 深圳元戎启行科技有限公司 | Automatic driving method and device based on cloud reasoning service and computer equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| US20210094559A1 (en) | 2021-04-01 |
| US11318953B2 (en) | 2022-05-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11492011B2 (en) | Autonomous driving control device and method for autonomous driving control of vehicles | |
| KR102417910B1 (en) | Apparatus and method for controlling vehicle platooning | |
| CN110035939B (en) | Vehicle control device | |
| EP3980309B1 (en) | Autonomous vehicle control system | |
| US10845800B2 (en) | Vehicle software check | |
| JP2008505012A (en) | Redundant data bus system | |
| CN109383518A (en) | Redundancy active control system is coordinated | |
| KR101802858B1 (en) | Integrated data processing system and method for vehicle | |
| US11396301B2 (en) | Vehicle control apparatus, vehicle control method, and non-transitory computer-readable storage medium storing program | |
| US11214271B1 (en) | Control system interface for autonomous vehicle | |
| US20210229685A1 (en) | Vehicle control apparatus, vehicle, vehicle control method, and non-transitory computer-readable storage medium | |
| CN114684185A (en) | Vehicle safety response control hierarchy for automated vehicle safety control and corresponding method | |
| CN112550313A (en) | Fault-tolerant embedded automotive application through cloud computing | |
| US11740889B2 (en) | Software update apparatus, software update method, non-transitory storage medium storing program, vehicle, and OTA master | |
| KR20200022674A (en) | Apparatus for controlling fail-operational of vehicle, and method thereof | |
| US10394241B2 (en) | Multi-stage voting control | |
| KR101914624B1 (en) | Processor for preventing accident of automatic driving system and method of the same | |
| US11066080B2 (en) | Vehicle control device and electronic control system | |
| JP2003015741A (en) | Automatic operation system for vehicle | |
| WO2021234947A1 (en) | Vehicle control system, vehicle integrated control device, electronic control device, network communication device, vehicle control method, and vehicle control program | |
| EP3813307A1 (en) | Ecu for communication | |
| US11158139B2 (en) | Vehicle telematics system | |
| KR102456794B1 (en) | Apparatus for controlling brake of autonomous driving vehicle | |
| US20220300403A1 (en) | Isolated software testing in production vehicles | |
| US20230286451A1 (en) | Vehicle interface system and/or method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |